Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/emerald-publishing/explaining-small-business-infosec-posture-using-social-theories-tQN4rLaST7
References (37)
-
Jan-Willem Bullee, Lorena Montoya, W. Pieters, M. Junger, Pieter Hartel (2015)
The persuasion and security awareness experiment: reducing the success of social engineering attacksJournal of Experimental Criminology, 11
-
R. Hertwig, Ido Erev (2009)
The description–experience gap in risky choiceTrends in Cognitive Sciences, 13
-
An analysis of decision under risk
Econometrica, 47
-
Stefan Fenz, Johannes Heurix, T. Neubauer, Fabian Pechstein (2014)
Current challenges in information security risk managementInf. Manag. Comput. Secur., 22
-
N. Weinstein, W. Klein (1996)
Unrealistic Optimism: Present and FutureJournal of Social and Clinical Psychology, 15
-
Embracing digital technology
MIT Sloan Management Review
-
Hyeun-Suk Rhee, Young Ryu, Cheong-Tag Kim (2012)
Unrealistic optimism on information security managementComput. Secur., 31
-
Sze‐Sze Wong (2008)
Judgments about knowledge importance: The roles of social referents and network structureHuman Relations, 61
-
S. Furnell, A. Jusoh, Dimitris Katsabas (2006)
The challenges of understanding and using security: A survey of end-usersComput. Secur., 25
-
D. Straub, R. Welke (1998)
Coping With Systems Risk: Security Planning Models for Management Decision MakingMIS Q., 22
-
E. Yechiam, Greg Barron, Ido Erev (2005)
The Role of Personal Experience in Contributing to Different Patterns of Response to Rare Terrorist AttacksJournal of Conflict Resolution, 49
-
M. Whitman (2004)
In defense of the realm: understanding the threats to information securityInt. J. Inf. Manag., 24
-
M. Siponen, Seppo Pahnila, Adam Mahmood (2006)
Factors Influencing Protection Motivation and IS Security Policy Compliance2006 Innovations in Information Technology
-
E. Laleh, Y. Masoudi, F. Fathy, S. Ghorbani (2013)
Influencing Factors of Information Security Management in Small- and Medium-Sized Enterprises and Organizations2013 International Conference on Communication Systems and Network Technologies
-
D. Kahneman, A. Tversky (1979)
Prospect theory: An analysis of decision under risk Econometrica 47 -
Roger Feagin (2015)
The value of cyber security in small business -
Chia-An Chao, A. Chandra (2012)
Impact of owner's knowledge of information technology (IT) on strategic alignment and IT adoption in US small firmsJournal of Small Business and Enterprise Development, 19
-
Petri Puhakainen, M. Siponen (2010)
Improving Employees' Compliance Through Information Systems Security Training: An Action Research StudyMIS Q., 34
-
M. Siponen (2006)
Six Design Theories for IS Security Policies and GuidelinesJ. Assoc. Inf. Syst., 7
-
16 surprising statistics about small businesses
Forbes
-
L. Valeri, Michael Knights (2000)
Affecting trust: Terrorism, internet and offensive information warfareTerrorism and Political Violence, 12
-
BITSIGHT (2015)
Cyber security myths versus reality: how optimism bias contributes to inaccurate perceptions of riskDimensional Research, 8
-
“Evaluating results of a small business security survey
-
Ebru Yildirim, G. Akalp, S. Aytac, Nuran Bayram (2011)
Factors influencing information security management in small- and medium-sized enterprises: A case study from TurkeyInt. J. Inf. Manag., 31
-
J. Bradley (1981)
Overconfidence in ignorant expertsBulletin of the psychonomic society, 17
-
R. Hertwig, Greg Barron, E. Weber, Ido Erev (2004)
Decisions from Experience and the Effect of Rare Events in Risky ChoicePsychological Science, 15
-
I. Olkin, Sudhish Churye, W. Hoeffding, W. Madow, H. Mann (1961)
Contributions to Probability and Statistics: Essays in Honor of Harold Hotelling, 124
-
M. Dlamini, J. Eloff, M. Eloff (2009)
Information security: The moving targetComput. Secur., 28
-
Qing Hu, Tamara Dinev, Paul Hart, Donna Cooke (2012)
Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational CultureDecis. Sci., 43
-
When social comparison goes awry: the case of pluralistic ignorance
-
A. Tsohou, Maria Karyda, S. Kokolakis, E. Kiountouzis (2015)
Managing the introduction of information security awareness programmes in organisationsEuropean Journal of Information Systems, 24
-
Rok Bojanc, B. Jerman-Blazic (2008)
An economic modelling approach to information security risk managementInt. J. Inf. Manag., 28
-
Atul Gupta, R. Hammond (2005)
Information systems security issues and decisions for small businesses: An empirical examinationInf. Manag. Comput. Security, 13
-
S. Furnell (2007)
Making security usable: Are things improving?Comput. Secur., 26
-
Sandip Patel, J. Graham, P. Ralston (2008)
Quantitatively assessing the vulnerability of critical information systems: A new method for evaluating security enhancementsInt. J. Inf. Manag., 28
-
L. Festinger (1954)
A Theory of Social Comparison ProcessesHuman Relations, 7
-
Atif Ahmad, S. Maynard (2014)
Teaching information security management: reflections and experiencesInf. Manag. Comput. Secur., 22
- Publisher
- Emerald Publishing
- Copyright
- Copyright © Emerald Group Publishing Limited
- ISSN
- 2056-4961
- DOI
- 10.1108/ICS-09-2015-0041
- Publisher site
- See Article on Publisher Site
Abstract
PurposeThis study aims to investigate information technology security practices of very small enterprises.Design/methodology/approachThe authors perform a formal information security field study using a representative sample. Using the Control Objectives for IT (COBIT) framework, the authors evaluate 67 information security controls and perform 206 related tests. The authors state six hypotheses about the findings and accept or reject those using inferential statistics. The authors explain findings using the social comparison theory and the rare events bias theory.FindingsOnly one-third of all the controls examined were designed properly and operated as expected. About half of the controls were either ill-designed or did not operate as intended. The social comparison theory and the rare events bias theory explain managers’s reliance on small experience samples which in turn leads to erroneous comprehension of their business environment, which relates to information security.Practical implicationsThis information is valuable to executive branch policy makers striving to reduce information security vulnerability on local and national levels and small business organizations providing information and advice to their members.Originality/valueInformation security surveys are usually over-optimistic and avoid self-incrimination, yielding results that are less accurate than field work. To obtain grounded facts, the authors used the field research approach to gather qualitative and quantitative data by physically visiting active organizations, interviewing managers and staff, observing processes and reviewing written materials such as policies, procedure and logs, in accordance to common practices of security audits.
Journal
Information and Computer Security – Emerald Publishing
Published: Nov 14, 2016